SmartHawk

2.8

中危

61 个模型检测该样本为恶意！

重新分析

下载样本

058a6f353b025bb1654c6906f8caec83911db26e633a9840eac055ec34645836

058a6f353b025bb1654c6906f8caec83911db26e633a9840eac055ec34645836.exe

分析耗时

269s

最近分析

399天前

文件大小

180.2KB

静态报毒动态报毒 CVE FAMILY LOLBOT METATYPE PLATFORM TYPE UNKNOWN 更多 WIN32 TROJAN BACKDOOR LOLBOT

DACN 0.12

FACILE 1.00

IMCLNet 0.70

MFGraph 0.00

引擎	描述	特征	威胁分数	可能家族	检测耗时
DACN	基于动态分析和胶囊网络的可视化恶意软件检测	API调用、DLL以及注册表的修改情况	0.12	Unknown	0.06s
FACILE	利用改进的层次胶囊网络对二进制恶意软件图像进行识别分类	二进制图像映射为的灰度图像	1.00	Unknown	0.03s
IMCLNet	轻量化深度卷积网络模型实现恶意软件家族检测	原始二进制映射而成的可视化图像	0.70	Unknown	0.22s
MFGraph	利用静态特征构建图网络以检测恶意软件	原始二进制PE文件的静态特征节点	0.00	Unknown	0.00s

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	None	20190527	0.3.0.5
Avast	Win32:Rbot-GQG [Trj]	20190830	18.4.3895.0
Baidu	Win32.Trojan.Agent.apt	20190318	1.0.0.2
CrowdStrike	win/malicious_confidence_100% (D)	20190702	1.0
Kingsoft	None	20190830	2013.8.14.323
McAfee	BackDoor-FAI	20190830	6.0.6.653
Tencent	None	20190830	1.0.0.1

可执行文件包含未知的 PE 段名称，可能指示打包器（可能是误报） (1 个事件)

section

yxbxhpw

在文件系统上创建可执行文件 (1 个事件)

file	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe

投放一个二进制文件并执行它 (1 个事件)

file	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe

搜索运行中的进程，可能用于识别沙箱规避、代码注入或内存转储的进程 (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1727545303.406375 Process32NextW	snapshot_handle: 0x0000003c process_name: taskhost.exe process_identifier: 2868	success	1	0
1727545303.406375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	success	1	0

重复搜索未找到的进程，您可能希望在分析期间运行一个网络浏览器 (50 out of 100 个事件)

Time & API	Arguments	Status
1727545303.406375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545303.906375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545304.406375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545304.906375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545305.406375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545305.906375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545306.406375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545306.906375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545307.406375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545307.906375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545308.406375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545308.906375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545309.406375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545309.906375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545310.406375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545310.906375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545311.406375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545311.906375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545312.406375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545312.906375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545313.406375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545313.906375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545314.406375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545314.906375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545315.406375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545315.906375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545316.406375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545316.906375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545317.406375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545317.906375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545318.406375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545318.906375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545319.406375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545319.906375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545320.406375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545320.906375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545321.406375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545321.906375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545322.406375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545322.906375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545323.406375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545323.906375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545324.406375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545324.906375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545325.406375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545325.906375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545326.406375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545326.906375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545327.406375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed
1727545327.906375 Process32NextW	snapshot_handle: 0x0000003c process_name: jusched.exe process_identifier: 2504	failed

与未执行 DNS 查询的主机进行通信 (2 个事件)

host	114.114.114.114
host	8.8.8.8

操作本地防火墙的策略和设置 (1 个事件)

registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Creates known LolBot Backdoor files, registry keys and/or mutexes

生成一些 ICMP 流量

文件已被 VirusTotal 上 61 个反病毒引擎识别为恶意 (50 out of 61 个事件)

ALYac	Gen:Variant.Ulise.36283
APEX	Malicious
AVG	Win32:Rbot-GQG [Trj]
Acronis	suspicious
Ad-Aware	Gen:Variant.Ulise.36283
AhnLab-V3	Backdoor/Win32.LolBot.R2281
Antiy-AVL	Trojan[Backdoor]/Win32.LolBot
Arcabit	Trojan.Ulise.D8DBB
Avast	Win32:Rbot-GQG [Trj]
Avira	TR/Patched.Ren.Gen
Baidu	Win32.Trojan.Agent.apt
BitDefender	Gen:Variant.Ulise.36283
Bkav	W32.OnGameDSAJ.Trojan
CAT-QuickHeal	Worm.Duptwux.A4
CMC	Backdoor.Win32.LolBot!O
ClamAV	Win.Trojan.Lolbot-6804733-0
Comodo	Backdoor.Win32.LolBot.GB@48x7ig
CrowdStrike	win/malicious_confidence_100% (D)
Cybereason	malicious.9fa26b
Cylance	Unsafe
Cyren	W32/LolBot.A.gen!Eldorado
DrWeb	Trojan.DownLoader5.5739
ESET-NOD32	a variant of Win32/Agent.TNE
Emsisoft	Gen:Variant.Ulise.36283 (B)
Endgame	malicious (high confidence)
F-Prot	W32/LolBot.A.gen!Eldorado
F-Secure	Trojan.TR/Patched.Ren.Gen
FireEye	Generic.mg.bbd30c39fa26b2d9
Fortinet	W32/Rbot.GQG!tr
GData	Gen:Variant.Ulise.36283
Ikarus	Backdoor.Win32.LolBot
Invincea	heuristic
Jiangmin	Backdoor/LolBot.ic
K7AntiVirus	Trojan ( 001f4ea51 )
K7GW	Trojan ( 001f4ea51 )
Kaspersky	Backdoor.Win32.LolBot.gen
Lionic	Trojan.Win32.LolBot.mwaL
MAX	malware (ai score=82)
Malwarebytes	Worm.AutoRun
MaxSecure	Win.MxResIcn.Heur.Gen
McAfee	BackDoor-FAI
McAfee-GW-Edition	BehavesLike.Win32.VBObfus.cz
MicroWorld-eScan	Gen:Variant.Ulise.36283
Microsoft	Worm:Win32/Duptwux.A
NANO-Antivirus	Trojan.Win32.LolBot.cqyqex
Panda	W32/Ircbot.DAC.worm
Qihoo-360	HEUR/QVM19.1.8D23.Malware.Gen
Rising	Worm.Win32.FakeFolder.ak (CLASSIC)
SUPERAntiSpyware	Trojan.Agent/Gen-LolBot
SentinelOne	DFI - Malicious PE

288x288

224x224

192x192

160x160

128x128

96x96

64x64

32x32

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2001-02-21 19:14:40

PE Imphash

7568fd2720750e36a6992434b5b7efe9

Sections

Name	Virtual Address	Virtual Size	Size of Raw Data	Entropy
.text	0x00001000	0x00009186	0x00009200	6.435645698328684
.rdata	0x0000b000	0x000014f8	0x00001600	5.4499370075091305
.data	0x0000d000	0x00001404	0x00001400	1.8950858140478448
.rsrc	0x0000f000	0x0001d000	0x0001cc00	0.7439050511674513
yxbxhpw	0x0002c000	0x00018000	0x00004200	0.0

Resources

Name	Offset	Size	Language	Sub-language	File type
RT_ICON	0x00012798	0x00000988	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_ICON	0x00012798	0x00000988	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_ICON	0x00012798	0x00000988	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_DIALOG	0x00013120	0x00000090	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_GROUP_ICON	0x000131b0	0x00000030	LANG_ENGLISH	SUBLANG_ENGLISH_US	None

Imports

Library KERNEL32.dll:

• 0x40de30 GetModuleHandleA

• 0x40de34 GetLastError

• 0x40de38 Sleep

• 0x40de3c GetLocaleInfoA

• 0x40de40 GetFileTime

• 0x40de44 FileTimeToLocalFileTime

• 0x40de48 FileTimeToSystemTime

• 0x40de4c GetLocalTime

• 0x40de50 GetStartupInfoA

• 0x40de54 VirtualAlloc

• 0x40de58 VirtualQuery

• 0x40de5c HeapCreate

• 0x40de60 HeapDestroy

• 0x40de64 HeapAlloc

• 0x40de68 HeapReAlloc

• 0x40de6c HeapFree

• 0x40de70 HeapSize

• 0x40de74 HeapValidate

• 0x40de78 CloseHandle

• 0x40de7c ExitProcess

• 0x40de80 RtlUnwind

• 0x40de84 GetSystemTimeAsFileTime

• 0x40de88 GetFileType

• 0x40de8c GetStdHandle

• 0x40de90 GetCurrentProcess

• 0x40de94 DuplicateHandle

• 0x40de98 SetHandleCount

• 0x40de9c GetCommandLineA

• 0x40dea0 GetModuleFileNameA

• 0x40dea4 GetEnvironmentStrings

• 0x40dea8 FreeEnvironmentStringsA

• 0x40deac UnhandledExceptionFilter

• 0x40deb0 SetFilePointer

• 0x40deb4 ReadFile

• 0x40deb8 GetConsoleMode

• 0x40debc GetConsoleCP

• 0x40dec0 GetConsoleOutputCP

• 0x40dec4 WriteFile

• 0x40dec8 SetStdHandle

• 0x40decc DeleteFileA

• 0x40ded0 SetConsoleCtrlHandler

• 0x40ded4 MultiByteToWideChar

• 0x40ded8 CreateFileA

• 0x40dedc WideCharToMultiByte

• 0x40dee0 SetEndOfFile

L!This program cannot be run in DOS mode.
.rdata
@.data
yxbxhpw
UEf:MZt
U8SVW]
U4SVW]
PEPEPEPh
t<;t"SPl
ZuM8MuHh
9|F9|E
|9]s#SY
OQJ9<@
u%}M<@
JMWzUzUW
WBP9<@
PSh@=@
|^J9u8]
|ZKYM9
@t. E@EF
)1_^[]
C<tP3
C<PYC<
CHC,CHC
CHC0CHC
C(C _^[
)1_^[]
RPh0F@
2f4qBft
f9tf9u
BCNu1^[
PSVWeh
YM_^[Md
H,PPJYtM
KHK,KHK
KHK0KHK
u-SY1~
t`CHPC
C(C C(
C4S8#1^[]
CBC9r[
EUEUEU
t^CHPC
11_^[]
uCCH9C
)RPSST
)PVSSX
s01_^[
uYCH9C
0tJ0t<
VC20XC00U
11111]^
USVWUj
t9|$$t
;t$$v,4v
PX1tPQ1
UXSVWh
URPVEP
?"u.G+t
GE?\tE
LYEPEPE
u@E>=t
u@E>=t
t E@E=
E)_^[]
8tBt8t/t
{:lt'S
u&C,Pj
+C +C$+s(fC8
uR~N~H v
U~,EPh<@
U~,EPh]@
~O{ ~H v
U~,EPh]@
~.C$PC
~L{(~E v
U~)EPh]@
tE~A~; v
~#Vh<@
PEPEPQ
 EU_^[]
UR)RRP
t_8tWt
U\SVW]
E;E|sC
E9s"C4
WCYE_^[]
U@SVW]
RPWV(
RPWV@
fc8-{,
}'fC8f
U\SVW]
]at7At2E
E@EEAu
fEfEuf}
E0uwEW
OfMF>0tft
EPEPEPEPEPE
VY(EHu 
EURPWE
PEPEPj
e_^[]U
PgfffX
U$SVWf]
~0EE@EBE
9}#E@E=
 t5BfE
WVS1D$
EEU^[]
Ft.fC8
C$C,C(
C,C,HC,}
C$fC8f
C(;C4}
PgfffX
PgfffX
EPxYRMLE
f~ffff
EEU^[]
f fKfx
.dedxde
%s/Downs/%supdatetdux.hlp
dwntdux.hlp
%s/Private/%s%s.hlp
%sPfile.hlp
%s/Ups/%s%s
\Java\VirtualDevice.vxd
ProgramFiles
poilroigtj
.pcpi.trdmftoo
814275
545159
poh-nil.t.roisdtgtjoee
861942753
ohoohh
ohucgh.firoo.pohhon.
uep.msetkx
.s1rw1R1e1uf1n1te.S1i1ea1u1r1rt1.1V.Co1o1nr1n
e.gteeixrde
JUthnaac8uvdSdSapee
JUthnaac,uvdSdSapee
JUthnaac.uvdSdSapee
JUthnaac_uvdSdSapee
JUthnaac-uvdSdSapee
JUthnaacuvdSdSapee
\Java\jre-08
\Java\jre-07
\Java\jre-06
\Java\jre-05
\Java\jre-04
\Java\jre-03
\Java\jre-02
\Java\jre-01
gFsomeralPri
\RLN06530
\RLN06527
\RLT6990
\RLT6989
\RLT6988
\RLT6987
DtlgeaAelVeReeu
CtygaeAeeKxRreE
oePari.recFtutMSrtiipSnsaldzLereiati.eeecllYt.rlPeinvsrnhoCtdryeiSrSaPrdstisedonu.As..cTohmooAtCc.warsrSc.SAaElaelfp
bd:ael*nE::
leeexthEuSlcA
l.e2lh3lsld
01234567890123456789012345678321456
PipFAtteFul
01234567890123456783136469012345678
etsnteoaennlHlIrCed
GipFAtteFel
etnAtentnnocIrCe
etnteennpIrOA
i.ntlielwnd
CegsyeoeRlK
SaEgVeetuARelx
OKxgnEeeyRpeA
a2lv3ldidap.
aieFAreeCtl
snoaelHlCed
c3xosersNPe2t
c3rosirsFtPe2s
CerstrPedertcIGunos
aoe2pteTh3aorelpnhCtolSs
VmfantunmoelIriGoeotA
WoitAtdDcyenserGiwro
LcrSntiDeiAeglvrsGoaitg
DeetvpeiyGrTA
eilFAeeeDtl
oitAmDcyeeerRvro
dsnoilFCe
dtenxlieiFNFA
dslnriiiFAFFte
yeploiCFA
EreabtimVaAevntieGnonrl
MllmtuiaedFNAGoeee
aitAeDcyreerCtro
FAieterteltuASitbs
erebyrirFLa
drAabyoirLLa
MlnAtuaeedHlGoed
PAetcreodsGrds
n2lr3leldke.
0123456789abcdefghijklmnopqrstuvwxyz
(null)
                                
00000000000000000000000000000000
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
0123456789abcdef
0123456789ABCDEF
0HwZ<s
A0123456789ABCDEF
0123456789abcdef
 -- terminating
signal #
termination request
invalid storage access
arithmetic error
invalid executable code
interruption
Error #xxx
Unknown error
Multibyte encoding error
Directory not empty
Function not supported
No locks available
Filename too long
Resource deadlock would occur
File positioning error
Range error
Mathematics argument out of domain of function
Broken pipe
Too many links
Read-only file system
Invalid seek
No space left on device
File too large
Inappropriate I/O control operation
Too many open files
Too many files open in system
Invalid argument
Is a directory
Not a directory
No such device
Cross-device link
File exists
Device or resource busy
Bad address
Permission denied
Not enough space
Resource temporarily unavailable
No child processes
Bad file descriptor
Executable file format error
Argument list too long
No such device or address
I/O error
Interrupted function
No such process
No such file or directory
Operation not permitted
No error
jre-09
aavd9apeJUt
JUthnaac9uvdSdSapee
New Folder
GetModuleHandleA
GetLastError
GetLocaleInfoA
GetFileTime
FileTimeToLocalFileTime
FileTimeToSystemTime
GetLocalTime
KERNEL32.dll
GetStartupInfoA
VirtualAlloc
VirtualQuery
HeapCreate
HeapDestroy
HeapAlloc
HeapReAlloc
HeapFree
HeapSize
HeapValidate
CloseHandle
ExitProcess
RtlUnwind
GetSystemTimeAsFileTime
GetFileType
GetStdHandle
GetCurrentProcess
DuplicateHandle
SetHandleCount
GetCommandLineA
GetModuleFileNameA
GetEnvironmentStrings
FreeEnvironmentStringsA
UnhandledExceptionFilter
SetFilePointer
ReadFile
GetConsoleMode
GetConsoleCP
GetConsoleOutputCP
WriteFile
SetStdHandle
DeleteFileA
SetConsoleCtrlHandler
MultiByteToWideChar
CreateFileA
WideCharToMultiByte
SetEndOfFile
-kkeJ/
.nnnnnnnS8
/qqqqqqqqqqq\@$
tttttttttttttttfI3
wwwwwwwwwwwwwwwwwwwpS<
zzzzzzzzzzzzzzzzzzzzzzzz\E&
}}}}}}}}}}}}}}}}}}}}}}}}}}M
H((wf,
I33lfZ
KUUmfh
[~lR7#
Rqqqqq\G+
0uuuuuuuuugQ4
1zzzzzzzzzzzzzz\>
2}}}}}}}}}}}}}}}}}r
w)dgu6
Hg3&;wG
D9#?^}
!u}M9&
uphW;$
uvwy|ypbJ-
|{{{{|}
}quw{
3492e4e2ac9382feac9382feac9382feac9382feac9382feb041147460cb11fc24c9f03dd8a0bb66845ca4692c61cf3070450cb24f9dae03407daf3d8976ec343a06f8fcd5004e48db4b7648db4b7648db4b7648db4b7648db4b7648db4b766c78a9c34599086eca60c64ef8b917d461f21f884438ccd876540ae46c78a9c36c78a9c36c78a9c3f7ce1f006621af5cd89d18446ec08dcefad77a026c78a9c36c78a9c32c7ea5531aa797e98144ff83600f36afb0b2b6c759a0054ec6144de57a68dc9520175c19933c292bc5a821b8a285ca979262c3c4e00001ff71e7251b7298ac3e9a90c2abb920c14449cae67a7b98412de9f06c78a9c36c78a9c36c78a9c35aa6175e48db4b76156e647c7ef29be22ecb16a48ea3f7788c2175466fc51d886c78a9c350eeb2d26bad6a761cbd06a96c78a9c36c78a9c3a652ddf830494104b1ef738a3a928aa71d2c847dd493db8bdbd9de2f60bb226cecd919cc0384442
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
(null)
@@@@@@@@@
@@@@@@@
@@@@@@@@
pdnmClass
pdnm Program
MS Shell Dlg

Process Tree

058a6f353b025bb1654c6906f8caec83911db26e633a9840eac055ec34645836.exe (2996) "C:\Users\Administrator\AppData\Local\Temp\058a6f353b025bb1654c6906f8caec83911db26e633a9840eac055ec34645836.exe"
- jusched.exe (2504) "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"

058a6f353b025bb1654c6906f8caec83911db26e633a9840eac055ec34645836.exe, PID: 2996, Parent PID: 2400

default registry file network process services synchronisation iexplore office pdf

jusched.exe, PID: 2504, Parent PID: 2996

default registry file network process services synchronisation iexplore office pdf

Hosts

IP
114.114.114.114
8.8.8.8
209.202.252.54

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
hohoho.ho.funpic.org
griptoloji.host-ed.net
ftp.tripod.com	A 209.202.252.54	209.202.252.54

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	53179	224.0.0.252	5355
192.168.56.101	49642	224.0.0.252	5355
192.168.56.101	137	192.168.56.255	137
192.168.56.101	61714	114.114.114.114	53
192.168.56.101	56933	114.114.114.114	53
192.168.56.101	138	192.168.56.255	138
192.168.56.101	58485	114.114.114.114	53
192.168.56.101	58485	8.8.8.8	53
192.168.56.101	57665	114.114.114.114	53
192.168.56.101	51758	114.114.114.114	53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

Source	Destination	ICMP Type	Data
192.168.56.101	114.114.114.114	3

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name	f163c62c72748681_uf
Filepath	C:\Program Files (x86)\Java\jre-09\bin\UF
Size	26.0B
Processes	2996 (058a6f353b025bb1654c6906f8caec83911db26e633a9840eac055ec34645836.exe)
Type	ASCII text, with no line terminators
MD5	`ac42fcbe17137c9e75a3d649ff55c054`
SHA1	`f0d6b569f7d65935604783d10040d6ddbd2fb4da`
SHA256	`f163c62c72748681126cbb1b801c7dea485a77a01747de0ce78179cc13984551`
CRC32	`79ADA70D`
ssdeep	`None`
Yara	None matched
VirusTotal	Search for analysis

Name	aed9a582daecff9d_jusched.exe
Filepath	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
Size	180.2KB
Processes	2996 (058a6f353b025bb1654c6906f8caec83911db26e633a9840eac055ec34645836.exe)
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`d3f15b5d4e38f4a8dda0a65a16ae94a9`
SHA1	`ce154dc078420b6f3acebdd676a8eb7ffe381278`
SHA256	`aed9a582daecff9d34496ca092b89f0ad053291eba57cc063c5a0f03f4ce6092`
CRC32	`ECBE8D2E`
ssdeep	`None`
Yara	None matched
VirusTotal	Search for analysis

Sorry! No dropped buffers.